Operational resilience is getting serious

By Gary Lynam, Director of ERM Advisory, Protecht


Financial institutions must put operational resilience at the top of their agenda and step up their game in building accountability and tolerance against potential operational disruption. Prepare for potential risk events with a transactional approach or get punished by the FCA, argues Gary Lynam, Director of ERM Risk Advisory, EMEA, Protecht.

On 31 March 2022, the Financial Conduct Authority (FCA), in partnership with the Bank of England and the Prudential Regulation Authority, formally finalised its new Operational Resilience Rules and a phased approach to tougher financial regulation that will, for the first time, punish financial institutions for the potential risk of operational disruption, with the deadline set for March 2025.

Alongside this, the EU has also issued new legislation for the financial services industry, the Digital Operational Resilience Act (DORA), to make sure the financial sector in Europe is able to maintain resilient operations through a severe operational disruption. What do these developments mean for financial institutions, and how can we build resilience both now and over time?

Building the capacity to recover quickly

Put simply, resilience is the ‘capacity to recover quickly from difficulties’ (OED). It’s also the ability to withstand adversity before encountering difficulties. From an operational perspective, it can be said to mean the ability to withstand adversity, recover quickly, pivot post-crisis and learn from disruptive events.

The new legislation mandates that businesses satisfactorily complete a number of tasks, from identifying ‘important business services’ to ‘setting impact tolerances’ and ‘mapping and testing to identify vulnerabilities’. Failing to meet these requirements could incur a hefty fine and will limit an organisation’s pathway to success.


Defining operational resilience

As we have noted, operational resilience is process-oriented and linked to the capacity to continue to provide critical operations and business services in the face of operational stress and disruption. On the other hand, organisational resilience looks beyond critical operational processes to the entire organisation. Thus, changes to the external environment which entail dramatic and rapid action also come into play.

The key attributes of a resilient organisation

The ISO standard on Organisational Resilience identifies the following core qualities:

  • Shared vision and clarity of purpose
  • Effective and invested leadership
  • Supportive culture
  • Shared knowledge and data
  • Available resources
  • Highly developed and coordinated management disciplines
  • Fostering continual improvement
  • Anticipating and managing change

From my own experience, I would add these additional values to the list:

  • The ability to continuously monitor and assess changing information, including identification of evolving threats
  • The capacity to make decisions quickly and pivot when necessary
  • The continual management of your workforce’s well-being, which enables them to both withstand shock and change when necessary
  • A proactive risk culture which encourages learning lessons both from internal challenges and those faced by other businesses

For continuous risk monitoring, and to gain value from risk management, it is worth considering deploying a robust Enterprise Risk and Resilience platform, designed for usability and accessible from multiple devices, including mobile. This will engage the whole organisation, including third-party vendors, and keep your risk and compliance information consistent within a single system. Ideally, it will also provide detailed dashboards and high-quality reports for the board and senior management. The tool must be able to integrate risk and resilience concepts simply, to avoid additional IT administration.

That might seem like a daunting list of aspirational attributes, but companies of all sizes need to shockproof themselves against unforeseen events. So, with less than three years until the deadline, where do we begin?

Start by evaluating your current state of resilience

The first step of evaluation is asking some key questions and searching for some home truths. Explore how quickly your business can make decisions in the face of adverse challenges, including reallocating resources in a hurry. Ask how robust your relationships with key stakeholders (internal and external, i.e. third parties) are, and whether they will come to your aid in uncertain times. Monitor the engagement level of your workforce – will they rally when the going gets tough? Find out how aligned senior executives and the C-suite are with the core vision and purpose. And look at what processes exist internally to capture lessons learned and communicate them effectively.

Once you have completed this assessment, you’ll have a good idea where the gaps are and what to do next. It is worth noting that the FCA has published two self-assessment questionnaires, which will help you with the process.

Use Business Impact Analysis

Then, we start ticking off the boxes outlined by the regulators. Use Business Impact Analysis (BIA) to identify which services are important – generally those that directly affect the customer. An example would be an inability to provide a financial payment at the required time, resulting in significant detriment or emotional distress to customers.

Set impact tolerances and include third parties

Having identified your important business services, you then need to determine your impact tolerances: the threshold of disruption for each service beyond which the damage to your customers becomes unbearable. You should also segment your customer base when you are assessing impact tolerance, because there may be vulnerable demographics whose tolerance for harm is lower than others.

The impact of third parties is constantly increasing as we move to a greater level of outsourcing and shared service models. It is important to specify your working relationships with third parties, and engage them in mapping, vulnerability assessments and scenario testing when setting impact tolerances.

Process mapping and testing

To appreciate how your important business services depend on each other, you must continuously map the processes needed to deliver each service and the resources needed to perform those processes. Bear in mind that a single process might underpin multiple services, and a single resource might support multiple processes. By mapping all these interconnected components, you can build a full picture of how and where disruption might strike, where your vulnerabilities are, and how to resolve them.
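The mapping step above, together with the impact tolerances set in the previous section, can be expressed as a small dependency model that answers two practical questions: which important business services are affected when a given resource fails, and which resources are shared by so many services that their loss would breach several tolerances at once. The following is an added example written for this article, not code from the author or from Protecht; every service, process, resource name and tolerance value in it is constructed for illustration.

```python
"""Service -> process -> resource dependency map with impact tolerances.

Added example for the process-mapping and impact-tolerance steps; all names
and tolerance values below are constructed, not taken from any real firm.
"""
from collections import defaultdict

# Constructed map: important business service -> processes that deliver it.
# A process (e.g. fraud_screening) may underpin more than one service.
SERVICE_PROCESSES = {
    "faster_payments": ["payment_initiation", "fraud_screening", "settlement"],
    "card_authorisation": ["fraud_screening", "card_auth"],
    "online_banking_login": ["identity_verification"],
}

# Constructed map: process -> resources (systems, people, third parties) it needs.
# A resource (e.g. core_banking) may support more than one process.
PROCESS_RESOURCES = {
    "payment_initiation": ["core_banking", "payments_gateway_vendor"],
    "fraud_screening": ["fraud_engine", "fraud_engine_vendor"],
    "settlement": ["core_banking", "scheme_connectivity"],
    "card_auth": ["card_switch", "core_banking"],
    "identity_verification": ["idp", "core_banking"],
}

# Constructed impact tolerances: maximum tolerable outage per service, in hours.
IMPACT_TOLERANCE_HOURS = {
    "faster_payments": 2,
    "card_authorisation": 1,
    "online_banking_login": 4,
}


def services_by_resource(service_processes, process_resources):
    """Invert the two maps into resource -> set of services that depend on it."""
    index = defaultdict(set)
    for service, processes in service_processes.items():
        for process in processes:
            for resource in process_resources[process]:
                index[resource].add(service)
    return index


def impact_of_outage(resource, outage_hours,
                     service_processes=SERVICE_PROCESSES,
                     process_resources=PROCESS_RESOURCES,
                     tolerances=IMPACT_TOLERANCE_HOURS):
    """Return {service: breached} for each service that depends on `resource`.

    `breached` is True when the outage lasts longer than that service's
    impact tolerance, i.e. the disruption the firm has declared intolerable.
    An unknown resource affects no service and returns an empty dict.
    """
    index = services_by_resource(service_processes, process_resources)
    affected = index.get(resource, set())
    return {s: outage_hours > tolerances[s] for s in sorted(affected)}


def concentration_risks(service_processes=SERVICE_PROCESSES,
                        process_resources=PROCESS_RESOURCES,
                        min_services=2):
    """Resources whose failure would hit at least `min_services` services.

    These are the shared components (often a single vendor) that deserve
    scenario testing first, because one outage breaches several tolerances.
    """
    index = services_by_resource(service_processes, process_resources)
    return sorted(r for r, s in index.items() if len(s) >= min_services)


if __name__ == "__main__":
    # Scenario: the outsourced fraud engine is down for 90 minutes.
    for service, breached in impact_of_outage("fraud_engine_vendor", 1.5).items():
        print(f"{service}: tolerance {'BREACHED' if breached else 'held'}")
    print("shared resources to test first:", concentration_risks())
```

Running the scenario shows that a 90-minute loss of the constructed fraud-engine vendor breaches the one-hour tolerance on card authorisation but not the two-hour tolerance on faster payments, and that the core banking platform and the fraud engine (with its vendor) are the shared resources on which more than one service depends. Real mappings are far larger, but the shape is the same: keep the service, process and resource relationships as data, and derive the impact picture from them rather than maintaining it by hand.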

That’s just the beginning of the operational resilience journey, but it will stand you in good stead for the incoming legislation. Recent years have shown, via a global pandemic, a land war in Europe and calamitous climate change, that there is an increasing number of disruptive events which threaten the smooth running of society and business. By building operational resilience now, you’ll be better placed to withstand any storms on the horizon.
